<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Microsoft Defender ATP - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/microsoft-defender-atp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/microsoft-defender-atp/feed.xml" rel="self" type="application/rss+xml"/><item><title>Microsoft Defender ATP Alert Aggregation and Correlation</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-defender-atp-alerts/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-defender-atp-alerts/</guid><description>This analytic aggregates and summarizes alerts from Microsoft Defender ATP, enriching them with MITRE ATT&amp;CK context and risk scoring for improved correlation and risk-based alerting.</description><content:encoded><![CDATA[<p>This analytic focuses on enhancing alert data originating from Microsoft Defender ATP. Instead of detecting entirely new activity, it leverages existing alerts to provide a more comprehensive picture of potential threats. The Splunk search aggregates and summarizes alerts, extracting key information like source, file names, severity levels, process command lines, IP addresses, registry keys, signatures, descriptions, unique IDs, and timestamps. The primary goal is to enable security teams to correlate Microsoft Defender ATP alerts with other data sources, contributing to a risk-based alerting strategy within Splunk Enterprise Security. A key aspect is dynamically mapping MITRE ATT&amp;CK techniques associated with the alerts and dynamically setting risk scores based on the alert's severity as determined by Microsoft Defender ATP. The analytic also filters out any alerts where the verdict is &quot;clean&quot; to reduce noise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>Since this analytic consumes existing alerts, the attack chain represents a generic endpoint compromise scenario that would trigger Defender ATP alerts.</p>
<ol>
<li><strong>Initial Access:</strong> A user clicks a malicious link in a phishing email (T1566.001), leading to malware execution.</li>
<li><strong>Execution:</strong> The malicious attachment executes a PowerShell script (T1059.001) to download further payloads.</li>
<li><strong>Persistence:</strong> The PowerShell script creates a scheduled task (T1053.005) to ensure the malware runs after reboot.</li>
<li><strong>Defense Evasion:</strong> The malware attempts to disable Windows Defender Antivirus (T1562.001) using PowerShell commands.</li>
<li><strong>Command and Control:</strong> The malware establishes a connection to a remote C2 server (T1071.001) to receive instructions.</li>
<li><strong>Lateral Movement:</strong> The malware uses SMB (T1021.002) to spread to other machines on the network.</li>
<li><strong>Exfiltration:</strong> Sensitive data is compressed and exfiltrated (T1041) to an external server controlled by the attacker.</li>
<li><strong>Impact:</strong> Data is encrypted or deleted, resulting in a ransomware attack or data breach (T1485).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to data breaches, ransomware attacks, and significant business disruption. The impact depends heavily on the nature of the initial compromise and the attacker's objectives. While the number of victims is unknown, organizations relying solely on default Microsoft Defender ATP configurations without correlation and enrichment are at higher risk. The affected sectors are broad, as endpoint compromise is a common attack vector across all industries. Failure to detect and respond to these alerts promptly can result in significant financial losses, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Splunk search to your Splunk environment and tune the <code>ms_defender_atp_alerts_filter</code> macro to filter out known false positives in your environment.</li>
<li>Configure the Splunk Add-on for Microsoft Security to ingest alerts from Microsoft Defender ATP using the <code>ms:defender:atp:alerts</code> sourcetype, as detailed in the &quot;how_to_implement&quot; section.</li>
<li>Implement the Sigma rule <code>Detect Suspicious Defender ATP Alerts by Severity</code> to prioritize high and critical alerts for immediate investigation.</li>
<li>Investigate any alerts where the risk score, dynamically calculated from the alert severity, exceeds a threshold appropriate for your organization.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>endpoint</category><category>alert-correlation</category><category>risk-based-alerting</category></item></channel></rss>